Wednesday, September 2, 2015

Android Safe is no more... Long live AndSafe

Back in 2009, I got my first Android phone - the HTC Magic which ran Android 1.5. There were only handful of apps available on Android Market (now Google Play). I wanted something to replace my Palm Pilot MemoAES but couldn't find something that was simple to use and secure (e.g. no network permission). So I decided to write my own and later I released the Android Safe as freeware.

Fast forward to 2014. In Sep I received an email from Google saying that "The use of 'Android' in your title is not compliant with Android branding guidelines" and they would suspend my app unless I rename my app.

To be honest, I developed the app for my own use. I put it on Android Market / Google Play just to share it in case someone out there wanted similar things. I wasn't making any money out of it. So I didn't do anything and eventually Google removed my app from Market.

In 2015, I finally got some time to sit down to see how I can improve Android Safe:

- it used 256-bit AES with ECB mode. I picked ECB because I was lazy to implement a secure way to generate the IV. Also, most of my memos are short (e.g. password, PIN etc) and without pattern. So ECB was fine. But if I am going to re-do it again, maybe I will use CBC instead

- 1024-round of PBKDF2 was used to generate the encryption key. It was OK back then, but now I prefer to use something that is more CPU intensive and can stand against ASIC attacks. After comparing bcrypt and scrypt, I decided to go with scrypt. Theoretically scrypt is better than bcrypt, but scrypt is newer and this is usually a bad thing in cryptography as there are not enough cryptoanalysis done against it. But anyway, I am using it as a key generator rather than cipher, so it is good enough for me.

- JNI library was used to accelerate the PBKDF2 key generation. Back then, the Android NDK only supported ARM platform. Now the app should compile for x86 and MIPS too